Apple posts new security note online

Mar 12, 2009 10:14 GMT

iTunes 8.1, released yesterday, adds support for syncing with iPod shuffle (3rd generation), a Genius sidebar for your Movies and TV Shows, and many accessibility improvements among other features, while also packing some security enhancements. In a technote posted today, Apple discloses the security fixes included with the iTunes 8.1 update.

The first issue affects Mac OS X v10.4.10 or later, Mac OS X Server v10.4.10 or later, and Windows XP or Vista. “Subscribing to a malicious podcast may lead to the disclosure of iTunes username and password,” Apple says. The flaw is described as follows:

A design issue exists in the iTunes podcast feature. A subscription to a malicious podcast may cause an authentication dialog to be presented to the user. This dialog may entice the user to send iTunes credentials to the podcast server. This update addresses the issue by clarifying the origin of the authentication request in the dialog. Credit to Simon Bellwood for reporting this issue.

Note that the fix changes the dialog rather than suppressing the prompt: a podcast server can still ask for credentials, so the origin shown in the dialog is what a user has to check before typing an iTunes username and password into it.

As reported earlier, iTunes 8.1 also addresses a Windows-specific vulnerability, a potential denial of service triggered by a maliciously crafted DAAP message. This one affects Windows XP and Vista only, and Apple describes it as follows:

An infinite loop exists in the handling of iTunes Digital Audio Access Protocol (DAAP) messages. Sending a message containing a maliciously crafted Content-Length parameter in the DAAP header may lead to a denial of service. This update addresses the issue by performing additional validation of DAAP messages. This issue does not affect Mac OS X systems. Credit to Xiaopeng Zhang, Zhenhua Liu, and Junfeng Jia of Fortinet's FortiGuard Global Security Research Team for reporting this issue.

Avid Softpedia readers should also be aware of the Chinese hacker who was able to trick iTunes' gift-card algorithms, stealing several $200 gift cards and selling them over the Internet for almost one percent of that price. The practice seems to continue in China, while Apple has remained silent on the matter.
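Returning to the DAAP note above: the bug class is a length field taken from the peer and trusted without validation. DAAP rides on HTTP, so the message framing is the familiar "Header: value" block ended by a blank line, and Content-Length tells the receiver how many body bytes to wait for. The following is an added example, not Apple's or iTunes' code, and it does not reproduce the actual iTunes defect (Apple's note does not say what the crafted value was). It shows the trusting pattern that a crafted value can hang next to a validating parser; the 16 MiB body limit, the header-block strings and the function names are all constructed for the demo.

```c
/* Added example (not iTunes' code): Content-Length handling for DAAP/HTTP
 * framing, the trusting pattern beside a validating one.  Messages below
 * are constructed for the demo. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy limit on a DAAP body; iTunes' real limit is unknown. */
#define DAAP_MAX_BODY (16u * 1024u * 1024u)

/* Constructed DAAP responses (DAAP is carried over HTTP). */
const char DAAP_GOOD[] = "HTTP/1.1 200 OK\r\nContent-Type: application/x-dmap-tagged\r\nContent-Length: 12\r\n\r\n";
const char DAAP_NEG[]  = "HTTP/1.1 200 OK\r\ncontent-length: -1\r\n\r\n";
const char DAAP_HUGE[] = "HTTP/1.1 200 OK\r\nContent-Length: 99999999999999999999\r\n\r\n";
const char DAAP_JUNK[] = "HTTP/1.1 200 OK\r\nContent-Length: 12abc\r\n\r\n";
const char DAAP_BIG[]  = "HTTP/1.1 200 OK\r\nContent-Length: 4294967296\r\n\r\n";

/* Case-insensitive compare of n bytes; header names are case-insensitive. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Locate header `name` in a CRLF-delimited block; returns a pointer to the
 * first value byte and sets *vlen, or NULL if absent. */
static const char *find_header(const char *hdrs, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = hdrs;
    while (*line && !(line[0] == '\r' && line[1] == '\n')) {  /* blank line ends block */
        const char *eol = strstr(line, "\r\n");
        if (!eol) eol = line + strlen(line);
        if ((size_t)(eol - line) > nlen && line[nlen] == ':' && ieq(line, name, nlen)) {
            const char *v = line + nlen + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            *vlen = (size_t)(eol - v);
            return v;
        }
        if (!*eol) break;
        line = eol + 2;
    }
    return NULL;
}

/* Trusting pattern: atoi() returns -1 for "-1"; compared as size_t that is
 * SIZE_MAX, so a loop that waits until `have` reaches `want` never ends.
 * Returns nonzero while the receiver would still wait for more body bytes. */
int naive_needs_more(const char *hdrs, size_t have)
{
    size_t vlen;
    const char *v = find_header(hdrs, "Content-Length", &vlen);
    size_t want = v ? (size_t)atoi(v) : 0;   /* no sign, range or junk check */
    return have < want;
}

/* Validating version: 0 and *out on success; -1 if the header is missing,
 * has anything but digits, overflows, or exceeds the policy limit. */
int daap_content_length(const char *hdrs, size_t *out)
{
    size_t vlen;
    const char *v = find_header(hdrs, "Content-Length", &vlen);
    if (!v || vlen == 0 || vlen > 20) return -1;          /* absent or absurdly long */
    char buf[21];
    memcpy(buf, v, vlen);
    buf[vlen] = '\0';
    for (size_t i = 0; i < vlen; i++)
        if (buf[i] < '0' || buf[i] > '9') return -1;      /* rejects "-1", "+5", "12abc" */
    errno = 0;
    char *end;
    unsigned long long n = strtoull(buf, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;       /* wider than 64 bits */
    if (n > DAAP_MAX_BODY) return -1;                     /* policy limit */
    *out = (size_t)n;
    return 0;
}

/* Convenience wrapper: the accepted length, or -1 when rejected. */
long daap_content_length_or_neg(const char *hdrs)
{
    size_t n;
    return daap_content_length(hdrs, &n) == 0 ? (long)n : -1;
}

/* Bounded framing: returns the declared length once `avail` bytes cover it,
 * -1 for a rejected Content-Length, -2 if the peer stops short (the caller
 * closes the connection instead of waiting forever). */
long daap_frame_body(const char *hdrs, size_t avail)
{
    size_t want, have = 0;
    if (daap_content_length(hdrs, &want) != 0) return -1;
    while (have < want) {
        size_t chunk = want - have;                       /* never past the declared end */
        if (chunk > 4096) chunk = 4096;                   /* read in bounded pieces */
        if (chunk > avail - have) chunk = avail - have;   /* short read from the peer */
        if (chunk == 0) return -2;                        /* no progress possible: bail */
        have += chunk;
    }
    return (long)have;
}

int main(void)
{
    printf("naive, Content-Length: -1, after 1 GiB: still waiting=%d\n",
           naive_needs_more(DAAP_NEG, (size_t)1 << 30));
    printf("validating, Content-Length: -1: %ld\n", daap_content_length_or_neg(DAAP_NEG));
    printf("validating, Content-Length: 12: %ld\n", daap_content_length_or_neg(DAAP_GOOD));
    return 0;
}
```

The two properties that keep a receiver out of an infinite loop are visible in the validating path: the declared length is bounded and numeric before any read is issued, and every iteration of the read loop either advances or gives up. The naive path passes "-1" through atoi() into an unsigned comparison and would keep asking for data no matter how much has arrived.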

To upgrade to the latest version of iTunes, use the link below.

Download iTunes for Mac (Free)

Download iTunes for Windows (Free)